Category Archives: conferences


[Posting this here to help get the word out – Chris]
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees are eligible for free RSA exhibit passes.
Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).
Place: University of San Francisco (walking distance to the Moscone Center)
Time: 8:30am to 4:30pm
Participation: by invitation.
Attendance: Limited to 80 people
Additional details, including links to past workshops, presentations, and digests, as well as a calendar with important dates and instructions for submitters, are available at securitymetrics.org

PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. (The PETS 2009 program is here.)

Like last year, we also present the HotPETs workshop, which showcases hot new research in the field.

We will also be presenting the Award for Outstanding Research in Privacy Enhancing Technologies to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology.

As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle.

As I think about how to deliver each of these talks, I think about what people will want from each. From a keynote, there should be a broad perspective, aiming to influence the agenda and conversation for the day, the conference and beyond. For a technical talk, I’m starting from “why should we care” and sharing experiences in enough depth that the audience gets practical lessons they can apply to their own work.

Part of being a great presenter is watching others present, and seeing what works for them and what doesn’t. And part of it is watching yourself (painful as that is). Another part is listening to the masters. And in that vein, Garr Reynolds has a great post, “Making presentations in the TED style”:

TED has earned a lot of attention over the years for many reasons, including the nature and quality of its short-form conference presentations. All presenters lucky enough to be asked to speak at TED are given 18-minute slots maximum (some are for even less time such as 3- and 6-minute slots). Some who present at TED are not used to speaking on a large stage, or are at least not used to speaking on their topic with strict time restraints. TED does not make a big deal publicly out of the TED Commandments, but many TED presenters have referenced the speaking guidelines in their talks and in their blogs over the years (e.g., Ben Saunders).

Ironically, he closes with:

Bill Gates vs. Bill Gates
Again, you do not have to use slides at TED (or TEDx, etc.), but if you do use slides, think of using them more in the style of Bill Gates the TEDster rather than Bill Gates the bullet point guy from the past. As Bill has shown, everyone can get better at presenting on stage.

I’ll be doing some of both. As both Reynolds and Bill understand, there are better and worse styles. Different styles work well for different people. There’s also a time and a place for each good style of presentation. Understanding yourself, your audience and goals are essential to doing any presentation well.

Of course, style only matters if you’re a professional entertainer, or have something interesting to say. I try hard to be in the latter category.

If you’re in Johannesburg, come see both talks. I’m looking forward to meeting new people, and would love to hear your feedback on either talk, either on the content or the style.

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at Securosis and Stiennon’s Network World blog, so I won’t try to do that.

But I did promise to tell you what I wanted to get out of it. My goals, ordered:

A successful Research Revealed track. I think we had some great talks, a panel I’m not qualified to judge (since I was on it), and at least a couple of sell-out sessions. But you tell me. Did it work for you?

See interesting new technology. I saw three things: Garner’s hard drive crusher (they have a “destroy” button!), Camouflage’s database masking and some very cool credit card form factor crypto devices from Emue. (I’d add Verizon’s DBIR, but I saw that before the show.) Four interesting bits? Counts as success. Ooh, plus saw the Aptera car.

The law don’t mean shit if you’ve got the right friends
That’s how this country’s run
Twinkies are the best friend I’ve ever had
I fought the law
And I won

I blew George and Harvey’s brains out with my six-gun
I fought the law and I won

I learned about Harvey Milk, but didn’t really remember George. I learned who he was from Milk, the movie.

When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context of human life. Most hacking incidents are annoying, some have real financial impact, and some few have the potential to do real and irreparable harm.

So as we go to the Moscone Center, remember the murders committed by an authorized entrant into city hall. When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context, and remember George Moscone and Harvey Milk.

For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together in a book, “The New School of Information Security.”)

The content is really exciting. From the opening with a top-rated speaker, Betsy Nichols, who’ll be talking about “Crunching Metrics from Public Security Data,” continuing to Gene Kim’s talk about applying real analysis of practice to virtualization, and a great panel talking about lessons learned from Election 2008, this track is just packed with hard facts and practical analysis.

Because I’m so excited by this, I’ve put the data into a Research Revealed .ics file you can use to bring these into your calendar.

I also extracted this table from the RSA website (it was hard to link), so you can easily see the track:

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more than a decade, CFP has anticipated policy trends and issues, and has shaped the public debate on the future of privacy and freedom in an ever more technology-filled world. CFP focuses on topics such as freedom of speech, privacy, intellectual property, cybersecurity, telecommunications, electronic democracy, digital rights and responsibilities, and the future of technologies and their implications. Researchers who work in any of these areas are invited to submit research abstracts.

We seek research abstracts describing recent or ongoing research in all areas relevant to the conference themes. We are especially interested in research abstracts that present results with clearly articulated policy implications. Abstracts should be written for a general audience and should avoid using technical or legal jargon.

Submitted research abstracts can be either unpublished original research (including work in progress), or research that has been recently published (2008 or 2009).

This is a great opportunity to get interesting work in front of a diverse audience. I’m on the program committee, and we’ve extended the deadline — all you need to submit is an abstract — to Friday the 10th. Check it out.

Metricon 4 – The Importance of Context

MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop.

MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th USENIX Security Symposium in Montreal, Quebec. It will begin first thing in the morning, with meals taken in the meeting room, and extend into the evening. Attendance will be by invitation and limited to 60 participants. All participants will be expected to “come with findings” and be willing to address the group in some fashion, formally or not. In keeping with the theme of The Importance of Context, preference will be given to the authors of position papers/presentations who have actual work in progress that demonstrates the value of security metrics with respect to a security-related goal.
Topics that demonstrate the importance of context include:

The program committee will also consider any innovative security metrics related work.

How to Participate
Submit a short position paper or description of work done or ongoing. Your submission must be brief — no longer than two pages including both text and graphical displays of quantitative information. Author names and affiliations should appear first in the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to metricon4@securitymetrics.org. These requests to participate are due no later than noon GMT, Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your submission within a day or two of posting; take action if you do not.

The Program Committee will invite both attendees and presenters. Participants of either sort will be notified of acceptance quickly — by June 15, 2009. Presenters who want hardcopy materials to be distributed at the Workshop must provide originals of those materials to the Program Committee by July 27, 2009. All slides, position papers, and what-not will be made available to all participants at the Workshop. No formal academic proceedings are intended, but a digest of the meeting will be prepared and distributed to participants and the general public. (Digests for previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this sort is found. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is entirely acceptable, but only if you disclose this in your proposal.

I’d like to talk about why I see it as a tremendous positive, and will be doing it again.

First, it engages the audience. There’s a motive to pay close attention and share what you hear. They’re using their laptops for good, not evil.

Second, it multiplies the attention to the talk. The talk was standing room only, but the room held fewer than 100 people. The people who tweeted had 5,300 followers. Now, that’s total followers, not unique (does anyone have an easy way to calculate that?). It’s also unlikely that many of them were reading Twitter or read backscroll, but it seems like an OK guess to say that 200-500 people saw some mention of the talk on Twitter.

Third, it promotes the audience from passive to engaged (although that wasn’t a problem for my audience, I’ve seen it in other talks). They’re no longer just listeners; they’re interpreting, quoting, and generating additional content as we engage around the ideas in the talk.

A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what the solutions should be. Questions remain concerning the scope of security breach laws, their effectiveness, and cost. Critics argue that notification laws are wasteful and that most breaches aren’t connected to identity theft. Supporters say the laws create vital incentives to safeguard information and reveal hidden cracks in security.

The symposium begins with a session on California’s security breach law and continues with a look at current research and proposed reforms by the state’s top policy makers and scholars.